This repository has been archived by the owner on Nov 1, 2022. It is now read-only.

How to run sops -d to decrypt HelmRelease resource #3487

Closed
nichoio opened this issue May 26, 2021 · 1 comment

nichoio commented May 26, 2021

Hi,
I'm aware that Flux v2 exists; however, I'm stuck with 1.14 of Kubernetes, so v2 is not an option AFAIK.
I'm trying to create a workflow using Flux, Helm Operator and Sops. I'm aware of #2804 and #3078; however, I thought I could simply encrypt a HelmRelease resource locally, using sops -e --config .sops.yaml release.yaml > release.enc.yaml, commit that release.enc.yaml and let Flux decrypt it by using a .flux.yaml file. Roughly like so:

version: 1
commandUpdated:
  generators:
    - command: sops -d --output release.yaml release.enc.yaml

I believe this file is incomplete; however, I'm having trouble understanding how to work with commandUpdated or patchUpdated exactly. I simply would like to decrypt the values: section of a HelmRelease; next, I would expect Helm-Operator to discover the resource and apply it.

values.yaml I use for the Helm chart of Flux v1:

git:
  url: (...)
  branch: (...)
  pollInterval: 2m
registry:
  disableScanning: true
sync:
  interval: 2m
rbac:
  create: false
serviceAccount:
  create: true
  name: flux-sa
ssh:
  known_hosts: (...)
gpgKeys:
  secretName: flux-sops-gpg
manifestGeneration: true
sops:
  enabled: true

Any help is appreciated.


nichoio commented May 28, 2021

Never mind, I figured it out; however, I ended up using kustomize, which I originally did not intend.
.flux.yaml (release.enc.yaml contains values for a HelmRelease resource, encrypted with SOPS):

version: 1
patchUpdated:
  generators:
    - command: sops -d --output overlay/release.yaml overlay/release.enc.yaml && kustomize build overlay/
    - command: rm overlay/release.yaml
  patchFile: overlay/release.yaml

@nichoio nichoio closed this as completed May 28, 2021
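
As an added example, not part of the thread or of Flux: a pre-commit style guard for the workflow above, checking that a committed release.enc.yaml carries SOPS metadata and has no cleartext scalars under values:. It assumes everything below values: is meant to be encrypted; the function names and sample file contents are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): refuse a HelmRelease whose values:
# block is not fully SOPS-encrypted. All file contents below are constructed.

# Return 0 when FILE has the top-level "sops:" metadata map including its MAC.
has_sops_metadata() {
  grep -q '^sops:' "$1" && grep -Eq '^ +mac: ENC\[' "$1"
}

# Print "LINE: text" for each scalar below "values:" that is not ENC[...].
plaintext_values() {
  awk '
    !inside && /^ *values: *$/ { match($0, /^ */); base = RLENGTH; inside = 1; next }
    inside {
      if ($0 ~ /^ *$/) next                        # blank line
      match($0, /^ */)
      if (RLENGTH <= base) { inside = 0; next }    # left the values: block
      line = $0; sub(/^ *(- )?/, "", line)         # drop indent and list dash
      # skip comments, encrypted list items, and keys that only open a map
      if (line ~ /^#/ || line ~ /^ENC\[/ || line ~ /^[^:]+: *$/) next
      val = line; sub(/^[^:]+: */, "", val)
      if (val !~ /^ENC\[/) print NR ": " line
    }' "$1"
}

# Return 0 only when FILE is safe to commit under the assumption above.
check_release() {
  has_sops_metadata "$1" || { echo "$1: no SOPS metadata" >&2; return 1; }
  leaks=$(plaintext_values "$1")
  [ -z "$leaks" ] || { printf '%s: plaintext under values:\n%s\n' "$1" "$leaks" >&2; return 1; }
}

# Constructed samples: one fully encrypted, one with a value left in clear.
samples=$(mktemp -d)
cat > "$samples/good.enc.yaml" <<'EOF'
kind: HelmRelease
spec:
  values:
    db:
      password: ENC[AES256_GCM,data:c2FtcGxl,iv:aXY=,tag:dGFn,type:str]
sops:
  mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
EOF
sed 's/password: ENC.*/password: hunter2/' "$samples/good.enc.yaml" > "$samples/bad.enc.yaml"

for f in "$samples"/*.enc.yaml; do
  if check_release "$f" 2>/dev/null; then echo "ok   $f"; else echo "FAIL $f"; fi
done
```

The check is textual and does not verify the MAC; sops -d on a machine holding the key remains the authoritative integrity test.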